From db8ba118f3877663f25de01b02216169d0d95bfe Mon Sep 17 00:00:00 2001 From: Luiz Carvalho Date: Mon, 13 May 2024 13:39:04 -0400 Subject: [PATCH] Implement prefetch-dependencies-oci-ta Task Ref: EC-551 Signed-off-by: Luiz Carvalho --- .../0.1/README.md | 18 +++-- .../0.1/prefetch-dependencies-oci-ta.yaml | 67 +++++++++++++++---- 2 files changed, 67 insertions(+), 18 deletions(-) diff --git a/task/prefetch-dependencies-oci-ta/0.1/README.md b/task/prefetch-dependencies-oci-ta/0.1/README.md index 6a6914bb3e..bd9c44e717 100644 --- a/task/prefetch-dependencies-oci-ta/0.1/README.md +++ b/task/prefetch-dependencies-oci-ta/0.1/README.md @@ -1,19 +1,29 @@ -# prefetch-dependencies task +# prefetch-dependencies-oci-ta task -Task that uses Cachi2 to prefetch build dependencies. -See docs at https://github.com/containerbuildsystem/cachi2#basic-usage. +Task that uses Cachi2 to prefetch build dependencies. The fetched dependencies and the +application source code are stored as a trusted artifact in the provided OCI repository. +For additional info on Cachi2, see docs at +https://github.com/containerbuildsystem/cachi2#basic-usage. ## Parameters |name|description|default value|required| |---|---|---|---| |input|Configures project packages that will have their dependencies prefetched.||true| +|source-artifact|The trusted artifact URI containing the application source code.||true| +|oci-storage|The OCI repository where the trusted artifacts with the modified cloned repository and the prefetched depedencies will be stored.||true| +|image-expires-after|Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.|""|false| |dev-package-managers|Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. |false|false| |log-level|Set cachi2 log level (debug, info, warning, error)|info|false| |caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| |caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +## Results +|name|description| +|---|---| +|source-artifact|The trusted artifact URI containing the modified application source.| +|cachi2-artifact|The trusted artifact URI containing the fetched dependencies.| + ## Workspaces |name|description|optional| |---|---|---| -|source|Workspace with the source code, cachi2 artifacts will be stored on the workspace as well|false| |git-basic-auth|A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. |true| diff --git a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml index 5d35df2cc1..3de8f89810 100644 --- a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml +++ b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml @@ -1,3 +1,4 @@ +--- apiVersion: tekton.dev/v1 kind: Task metadata: @@ -6,14 +7,30 @@ metadata: annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: "image-build, hacbs" - name: prefetch-dependencies + name: prefetch-dependencies-oci-ta spec: description: |- - Task that uses Cachi2 to prefetch build dependencies. - See docs at https://github.com/containerbuildsystem/cachi2#basic-usage. + Task that uses Cachi2 to prefetch build dependencies. The fetched dependencies and the + application source code are stored as a trusted artifact in the provided OCI repository. + For additional info on Cachi2, see docs at + https://github.com/containerbuildsystem/cachi2#basic-usage. params: - description: Configures project packages that will have their dependencies prefetched. name: input + - description: The trusted artifact URI containing the application source code. + name: source-artifact + type: string + - description: >- + The OCI repository where the trusted artifacts with the modified cloned repository and + the prefetched depedencies will be stored. + name: oci-storage + type: string + - description: >- + Expiration date for the trusted artifacts created in the OCI repository. An empty string means + the artifacts do not expire. + name: image-expires-after + type: string + default: "" - description: > Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. @@ -30,11 +47,24 @@ spec: type: string description: The name of the key in the ConfigMap that contains the CA bundle data. default: ca-bundle.crt + results: + - description: The trusted artifact URI containing the modified application source. + name: source-artifact + type: string + - description: The trusted artifact URI containing the fetched dependencies. + name: cachi2-artifact + stepTemplate: + volumeMounts: + - mountPath: /var/workdir + name: workdir steps: + # TODO: Find the right image + - image: quay.io/redhat-user-workloads/rhtap-build-tenant/trusted-artifacts/trusted-artifacts:e8d9e76c49161d70386276b1592061907097e63b@sha256:721ec9440781e719064037b07f89495d11fda57bdf4a0419bba30dcf8b435827 + name: use-trusted-artifact + args: + - use + - $(params.source-artifact)=/var/workdir/source - image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. name: prefetch-dependencies env: - name: INPUT @@ -72,7 +102,7 @@ spec: cp "${WORKSPACE_GIT_AUTH_PATH}/.gitconfig" "${HOME}/.gitconfig" # Compatibility with kubernetes.io/basic-auth secrets elif [ -f "${WORKSPACE_GIT_AUTH_PATH}/username" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/password" ]; then - HOSTNAME=$(cd "$(workspaces.source.path)/source" && git remote get-url origin | awk -F/ '{print $3}') + HOSTNAME=$(cd /var/workdir/source && git remote get-url origin | awk -F/ '{print $3}') echo "https://$(cat ${WORKSPACE_GIT_AUTH_PATH}/username):$(cat ${WORKSPACE_GIT_AUTH_PATH}/password)@$HOSTNAME" > "${HOME}/.git-credentials" echo -e "[credential \"https://$HOSTNAME\"]\n helper = store" > "${HOME}/.gitconfig" else @@ -92,20 +122,27 @@ spec: cachi2 --log-level="$LOG_LEVEL" fetch-deps \ $dev_pacman_flag \ - --source=$(workspaces.source.path)/source \ - --output=$(workspaces.source.path)/cachi2/output \ + --source=/var/workdir/source \ + --output=/var/workdir/cachi2/output \ "${INPUT}" - cachi2 --log-level="$LOG_LEVEL" generate-env $(workspaces.source.path)/cachi2/output \ + cachi2 --log-level="$LOG_LEVEL" generate-env /var/workdir/cachi2/output \ --format env \ --for-output-dir=/cachi2/output \ - --output $(workspaces.source.path)/cachi2/cachi2.env + --output /var/workdir/cachi2/cachi2.env - cachi2 --log-level="$LOG_LEVEL" inject-files $(workspaces.source.path)/cachi2/output \ + cachi2 --log-level="$LOG_LEVEL" inject-files /var/workdir/cachi2/output \ --for-output-dir=/cachi2/output + # TODO: Find the right image + - image: quay.io/redhat-user-workloads/rhtap-build-tenant/trusted-artifacts/trusted-artifacts:e8d9e76c49161d70386276b1592061907097e63b@sha256:721ec9440781e719064037b07f89495d11fda57bdf4a0419bba30dcf8b435827 + name: create-trusted-artifact + args: + - create + - --store + - $(params.oci-storage) + - $(results.source-artifact.path)=/var/workdir/source + - $(results.cachi2-artifact.path)=/var/workdir/cachi2 workspaces: - - name: source - description: Workspace with the source code, cachi2 artifacts will be stored on the workspace as well - name: git-basic-auth description: | A Workspace containing a .gitconfig and .git-credentials file or username and password. @@ -114,6 +151,8 @@ spec: to bind a Secret to this Workspace over other volume types. optional: true volumes: + - name: workdir + emptyDir: {} - name: trusted-ca configMap: name: $(params.caTrustConfigMapName)